amadey | 565d0a671870bbc0e6d64868a7794be7d6372b854adc93e35a960d4d099f31ae

Analysis

max time kernel
197s
max time network
201s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67cd1490efb341d09358ae5e0e0cd3dd.exe
Size

1.1MB
MD5

67cd1490efb341d09358ae5e0e0cd3dd
SHA1

bc08a25ccf24bb037c179c8fef8ce8a121bfd235
SHA256

565d0a671870bbc0e6d64868a7794be7d6372b854adc93e35a960d4d099f31ae
SHA512

dbc43a83fc4da74e2ca8100ba5e68237326f8d4742efd03d71e216919657ab7a434d9c722a30ae68c0558b3d96d55b4acdef920839e0f8c3df5a79ec9e4d0075
SSDEEP

24576:xy9/kJyCg/+vK2aezBam/WqHHtLGlXeXVXFFnG4qe:kOvuuKg1acRHHtKJeFXFFnw

Score

10^/10

amadey healer redline smokeloader breha backdoor dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

breha

77.91.124.55:19071

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral2/files/0x000700000002321c-117.dat	healer
behavioral2/files/0x000700000002321c-120.dat	healer
behavioral2/memory/3596-123-0x0000000000F00000-0x0000000000F0A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	332B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	332B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	332B.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	332B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	332B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	332B.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/244-91-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	34B3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	301.bat

Executes dropped EXE 20 IoCs

pid	Process
3228	Da3Rx56.exe
2920	rU6ZO79.exe
2064	Xw2Nn48.exe
4628	1aZ93vP4.exe
1440	2LC5346.exe
3408	3Ga23OJ.exe
4428	DBD0.exe
4908	EE4F.exe
2376	kG8Vz5sR.exe
648	wI8GV1hb.exe
4924	4NT281oj.exe
2280	301.bat
1020	1179.exe
3476	iX4rG7xq.exe
4044	hc3fE5ZP.exe
3596	332B.exe
4128	1IJ35UM4.exe
4268	34B3.exe
2288	gdhvfuu
4008	5kS6iX1.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	332B.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Da3Rx56.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	rU6ZO79.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Xw2Nn48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	wI8GV1hb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	67cd1490efb341d09358ae5e0e0cd3dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	DBD0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kG8Vz5sR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	iX4rG7xq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\""	hc3fE5ZP.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 4628 set thread context of 4560	4628	1aZ93vP4.exe	92
PID 1440 set thread context of 1340	1440	2LC5346.exe	99
PID 3408 set thread context of 3300	3408	3Ga23OJ.exe	106
PID 4908 set thread context of 3820	4908	EE4F.exe	114
PID 4924 set thread context of 244	4924	4NT281oj.exe	120
PID 1020 set thread context of 4452	1020	1179.exe	126
PID 4128 set thread context of 3952	4128	1IJ35UM4.exe	131

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
2572	4628	WerFault.exe	91
2472	1440	WerFault.exe	97
2340	1340	WerFault.exe	99
4404	3408	WerFault.exe	105
2904	4908	WerFault.exe	110
2080	4924	WerFault.exe	118
2208	1020	WerFault.exe	123
880	4128	WerFault.exe	129

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4560	AppLaunch.exe
4560	AppLaunch.exe
3300	AppLaunch.exe
3300	AppLaunch.exe
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found
3272	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3272	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3300	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	4560	AppLaunch.exe
Token: SeShutdownPrivilege	3272	Process not Found
Token: SeCreatePagefilePrivilege	3272	Process not Found
Token: SeShutdownPrivilege	3272	Process not Found
Token: SeCreatePagefilePrivilege	3272	Process not Found
Token: SeShutdownPrivilege	3272	Process not Found
Token: SeCreatePagefilePrivilege	3272	Process not Found
Token: SeShutdownPrivilege	3272	Process not Found
Token: SeCreatePagefilePrivilege	3272	Process not Found
Token: SeDebugPrivilege	3596	332B.exe
Token: SeShutdownPrivilege	3272	Process not Found
Token: SeCreatePagefilePrivilege	3272	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 3228	4904	67cd1490efb341d09358ae5e0e0cd3dd.exe	87
PID 4904 wrote to memory of 3228	4904	67cd1490efb341d09358ae5e0e0cd3dd.exe	87
PID 4904 wrote to memory of 3228	4904	67cd1490efb341d09358ae5e0e0cd3dd.exe	87
PID 3228 wrote to memory of 2920	3228	Da3Rx56.exe	89
PID 3228 wrote to memory of 2920	3228	Da3Rx56.exe	89
PID 3228 wrote to memory of 2920	3228	Da3Rx56.exe	89
PID 2920 wrote to memory of 2064	2920	rU6ZO79.exe	90
PID 2920 wrote to memory of 2064	2920	rU6ZO79.exe	90
PID 2920 wrote to memory of 2064	2920	rU6ZO79.exe	90
PID 2064 wrote to memory of 4628	2064	Xw2Nn48.exe	91
PID 2064 wrote to memory of 4628	2064	Xw2Nn48.exe	91
PID 2064 wrote to memory of 4628	2064	Xw2Nn48.exe	91
PID 4628 wrote to memory of 4560	4628	1aZ93vP4.exe	92
PID 4628 wrote to memory of 4560	4628	1aZ93vP4.exe	92
PID 4628 wrote to memory of 4560	4628	1aZ93vP4.exe	92
PID 4628 wrote to memory of 4560	4628	1aZ93vP4.exe	92
PID 4628 wrote to memory of 4560	4628	1aZ93vP4.exe	92
PID 4628 wrote to memory of 4560	4628	1aZ93vP4.exe	92
PID 4628 wrote to memory of 4560	4628	1aZ93vP4.exe	92
PID 4628 wrote to memory of 4560	4628	1aZ93vP4.exe	92
PID 2064 wrote to memory of 1440	2064	Xw2Nn48.exe	97
PID 2064 wrote to memory of 1440	2064	Xw2Nn48.exe	97
PID 2064 wrote to memory of 1440	2064	Xw2Nn48.exe	97
PID 1440 wrote to memory of 1340	1440	2LC5346.exe	99
PID 1440 wrote to memory of 1340	1440	2LC5346.exe	99
PID 1440 wrote to memory of 1340	1440	2LC5346.exe	99
PID 1440 wrote to memory of 1340	1440	2LC5346.exe	99
PID 1440 wrote to memory of 1340	1440	2LC5346.exe	99
PID 1440 wrote to memory of 1340	1440	2LC5346.exe	99
PID 1440 wrote to memory of 1340	1440	2LC5346.exe	99
PID 1440 wrote to memory of 1340	1440	2LC5346.exe	99
PID 1440 wrote to memory of 1340	1440	2LC5346.exe	99
PID 1440 wrote to memory of 1340	1440	2LC5346.exe	99
PID 2920 wrote to memory of 3408	2920	rU6ZO79.exe	105
PID 2920 wrote to memory of 3408	2920	rU6ZO79.exe	105
PID 2920 wrote to memory of 3408	2920	rU6ZO79.exe	105
PID 3408 wrote to memory of 3300	3408	3Ga23OJ.exe	106
PID 3408 wrote to memory of 3300	3408	3Ga23OJ.exe	106
PID 3408 wrote to memory of 3300	3408	3Ga23OJ.exe	106
PID 3408 wrote to memory of 3300	3408	3Ga23OJ.exe	106
PID 3408 wrote to memory of 3300	3408	3Ga23OJ.exe	106
PID 3408 wrote to memory of 3300	3408	3Ga23OJ.exe	106
PID 3272 wrote to memory of 4428	3272	Process not Found	109
PID 3272 wrote to memory of 4428	3272	Process not Found	109
PID 3272 wrote to memory of 4428	3272	Process not Found	109
PID 3272 wrote to memory of 4908	3272	Process not Found	110
PID 3272 wrote to memory of 4908	3272	Process not Found	110
PID 3272 wrote to memory of 4908	3272	Process not Found	110
PID 4428 wrote to memory of 2376	4428	DBD0.exe	111
PID 4428 wrote to memory of 2376	4428	DBD0.exe	111
PID 4428 wrote to memory of 2376	4428	DBD0.exe	111
PID 4908 wrote to memory of 3356	4908	EE4F.exe	112
PID 4908 wrote to memory of 3356	4908	EE4F.exe	112
PID 4908 wrote to memory of 3356	4908	EE4F.exe	112
PID 4908 wrote to memory of 4792	4908	EE4F.exe	113
PID 4908 wrote to memory of 4792	4908	EE4F.exe	113
PID 4908 wrote to memory of 4792	4908	EE4F.exe	113
PID 4908 wrote to memory of 3820	4908	EE4F.exe	114
PID 4908 wrote to memory of 3820	4908	EE4F.exe	114
PID 4908 wrote to memory of 3820	4908	EE4F.exe	114
PID 4908 wrote to memory of 3820	4908	EE4F.exe	114
PID 4908 wrote to memory of 3820	4908	EE4F.exe	114
PID 4908 wrote to memory of 3820	4908	EE4F.exe	114
PID 4908 wrote to memory of 3820	4908	EE4F.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\67cd1490efb341d09358ae5e0e0cd3dd.exe
"C:\Users\Admin\AppData\Local\Temp\67cd1490efb341d09358ae5e0e0cd3dd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Da3Rx56.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Da3Rx56.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3228
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rU6ZO79.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rU6ZO79.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xw2Nn48.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xw2Nn48.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2064
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1aZ93vP4.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1aZ93vP4.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4628
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4560
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 572
        6⤵
        Program crash
        
        PID:2572
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2LC5346.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2LC5346.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1440
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 540
        7⤵
        Program crash
        
        PID:2340
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 572
        6⤵
        Program crash
        
        PID:2472
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Ga23OJ.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Ga23OJ.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3408
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:3300
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 592
        5⤵
        Program crash
        
        PID:4404
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4NT281oj.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4NT281oj.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4924
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:244
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 572
      4⤵
      Program crash
      PID:2080
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5kS6iX1.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5kS6iX1.exe
  2⤵
  - Executes dropped EXE
  PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4628 -ip 4628
1⤵
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1440 -ip 1440
1⤵
PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1340 -ip 1340
1⤵
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3408 -ip 3408
1⤵
PID:2460

C:\Users\Admin\AppData\Local\Temp\DBD0.exe
C:\Users\Admin\AppData\Local\Temp\DBD0.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kG8Vz5sR.exe
  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kG8Vz5sR.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2376
- - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wI8GV1hb.exe
    C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wI8GV1hb.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:648
  - - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iX4rG7xq.exe
      C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iX4rG7xq.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:3476
    - - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\hc3fE5ZP.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\hc3fE5ZP.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4044
      - C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1IJ35UM4.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1IJ35UM4.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4128
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 572
        7⤵
        Program crash
        
        PID:880

C:\Users\Admin\AppData\Local\Temp\EE4F.exe
C:\Users\Admin\AppData\Local\Temp\EE4F.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 420
  2⤵
  - Program crash
  PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4908 -ip 4908
1⤵
PID:456

C:\Users\Admin\AppData\Local\Temp\301.bat
"C:\Users\Admin\AppData\Local\Temp\301.bat"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4924 -ip 4924
1⤵
PID:1228

C:\Users\Admin\AppData\Local\Temp\1179.exe
C:\Users\Admin\AppData\Local\Temp\1179.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4452
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 388
  2⤵
  - Program crash
  PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1020 -ip 1020
1⤵
PID:2124

C:\Users\Admin\AppData\Local\Temp\332B.exe
C:\Users\Admin\AppData\Local\Temp\332B.exe
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4128 -ip 4128
1⤵
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3952 -ip 3952
1⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\34B3.exe
C:\Users\Admin\AppData\Local\Temp\34B3.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4268

C:\Users\Admin\AppData\Roaming\gdhvfuu
C:\Users\Admin\AppData\Roaming\gdhvfuu
1⤵
- Executes dropped EXE
PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\1179.exe

Filesize
485KB

MD5
0de88e83b166d6a92bdf0a71b6133839

SHA1
4a5756f9dc8dffb148a14fa3e76d720b218be1af

SHA256
47ce47ff2e1e626a746c9de5bc4a4b398efb16a77ee173670dacd14394eca999

SHA512
1bdf7a260aa3e3aad8841aab2ea9f62d6ca23bf3bb3a083feaacc171567f4d9d5eb23e74a89bb96b8a84ded2727c90c077d61a21d787d96858ad571c638e3263

Download Submit
C:\Users\Admin\AppData\Local\Temp\1179.exe

Filesize
485KB

MD5
0de88e83b166d6a92bdf0a71b6133839

SHA1
4a5756f9dc8dffb148a14fa3e76d720b218be1af

SHA256
47ce47ff2e1e626a746c9de5bc4a4b398efb16a77ee173670dacd14394eca999

SHA512
1bdf7a260aa3e3aad8841aab2ea9f62d6ca23bf3bb3a083feaacc171567f4d9d5eb23e74a89bb96b8a84ded2727c90c077d61a21d787d96858ad571c638e3263

Download Submit
C:\Users\Admin\AppData\Local\Temp\301.bat

Filesize
97KB

MD5
6b163af84a7f4053a16696f672e44a42

SHA1
02fcc16498120b95d5f6c282f8299b65fa27138a

SHA256
fe5c16fdd9a4a01f68d98ff5b0f971b4f420e27d66a700a52c9ad53bea6bd254

SHA512
941c1efe71cf43cef79472e3c0ec4929d62385e23df1065fa92629e22073f5521bf117fa35c6adc24d24da46f5b2de99d4590188c8f310eb42f5fb888b7b5f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\301.bat

Filesize
97KB

MD5
6b163af84a7f4053a16696f672e44a42

SHA1
02fcc16498120b95d5f6c282f8299b65fa27138a

SHA256
fe5c16fdd9a4a01f68d98ff5b0f971b4f420e27d66a700a52c9ad53bea6bd254

SHA512
941c1efe71cf43cef79472e3c0ec4929d62385e23df1065fa92629e22073f5521bf117fa35c6adc24d24da46f5b2de99d4590188c8f310eb42f5fb888b7b5f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\301.bat

Filesize
97KB

MD5
6b163af84a7f4053a16696f672e44a42

SHA1
02fcc16498120b95d5f6c282f8299b65fa27138a

SHA256
fe5c16fdd9a4a01f68d98ff5b0f971b4f420e27d66a700a52c9ad53bea6bd254

SHA512
941c1efe71cf43cef79472e3c0ec4929d62385e23df1065fa92629e22073f5521bf117fa35c6adc24d24da46f5b2de99d4590188c8f310eb42f5fb888b7b5f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\332B.exe

Filesize
21KB

MD5
57543bf9a439bf01773d3d508a221fda

SHA1
5728a0b9f1856aa5183d15ba00774428be720c35

SHA256
70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e

SHA512
28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

Download Submit
C:\Users\Admin\AppData\Local\Temp\332B.exe

Filesize
21KB

MD5
57543bf9a439bf01773d3d508a221fda

SHA1
5728a0b9f1856aa5183d15ba00774428be720c35

SHA256
70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e

SHA512
28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

Download Submit
C:\Users\Admin\AppData\Local\Temp\34B3.exe

Filesize
229KB

MD5
78e5bc5b95cf1717fc889f1871f5daf6

SHA1
65169a87dd4a0121cd84c9094d58686be468a74a

SHA256
7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

SHA512
d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

Download Submit
C:\Users\Admin\AppData\Local\Temp\34B3.exe

Filesize
229KB

MD5
78e5bc5b95cf1717fc889f1871f5daf6

SHA1
65169a87dd4a0121cd84c9094d58686be468a74a

SHA256
7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

SHA512
d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

Download Submit
C:\Users\Admin\AppData\Local\Temp\DBD0.exe

Filesize
1.2MB

MD5
058d9f66f904c82d39a0a6b3a4121e93

SHA1
87a5b194ab797cfd4c74d9dee8d7ad3c76687c6d

SHA256
5b9550c2804391432f7b4bbd37aec1c8d835099706539612582dbccb2303d39e

SHA512
4898932b1882cb4ec07164d0e475d418d1aa2d80c7c4382ded33b08cb42ad256746db8454b730468804580d1c2095758287236844b8c42e9db910519a2743df6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DBD0.exe

Filesize
1.2MB

MD5
058d9f66f904c82d39a0a6b3a4121e93

SHA1
87a5b194ab797cfd4c74d9dee8d7ad3c76687c6d

SHA256
5b9550c2804391432f7b4bbd37aec1c8d835099706539612582dbccb2303d39e

SHA512
4898932b1882cb4ec07164d0e475d418d1aa2d80c7c4382ded33b08cb42ad256746db8454b730468804580d1c2095758287236844b8c42e9db910519a2743df6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE4F.exe

Filesize
448KB

MD5
96b1ef1f7b02b5dc96c390efc396f229

SHA1
710e52258d9f50f314d4de1dbbe124e0c1f0898f

SHA256
2c2f3977e5594800defaa0633c381d76cd02ea540af507ffbf64e11f71b21bb8

SHA512
804694fd1c71f9f1b03aaacf7c2458307e12cd65eda4d0a2363a94b5cb9bb21b1f5f2bb73e2f119e047c9c28623e04567620f7b494244c233d5e53e14b616938

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE4F.exe

Filesize
448KB

MD5
96b1ef1f7b02b5dc96c390efc396f229

SHA1
710e52258d9f50f314d4de1dbbe124e0c1f0898f

SHA256
2c2f3977e5594800defaa0633c381d76cd02ea540af507ffbf64e11f71b21bb8

SHA512
804694fd1c71f9f1b03aaacf7c2458307e12cd65eda4d0a2363a94b5cb9bb21b1f5f2bb73e2f119e047c9c28623e04567620f7b494244c233d5e53e14b616938

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5kS6iX1.exe

Filesize
97KB

MD5
a39bd4bcdd2f5e97762828c42dad63f3

SHA1
06faec5260886a6fd57045bb756d18ad229daff6

SHA256
8fc89c6833dd663e704ac1fda3a98ff591d9016ee1e9f6c397e45e0f569c518f

SHA512
1418d94768b95c25d195ff93d883485134ffd02e977e00e83ffcf1417fcd16c48b652ea6d46fc25915bea6f3074ea106f5ed2294c54afc503e6a91c25651a1d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5kS6iX1.exe

Filesize
97KB

MD5
a39bd4bcdd2f5e97762828c42dad63f3

SHA1
06faec5260886a6fd57045bb756d18ad229daff6

SHA256
8fc89c6833dd663e704ac1fda3a98ff591d9016ee1e9f6c397e45e0f569c518f

SHA512
1418d94768b95c25d195ff93d883485134ffd02e977e00e83ffcf1417fcd16c48b652ea6d46fc25915bea6f3074ea106f5ed2294c54afc503e6a91c25651a1d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Da3Rx56.exe

Filesize
960KB

MD5
531eb7fdaa2f714e7ee3493143d390fb

SHA1
235946bedabdd21502f9b86e43dc1046fddb0532

SHA256
ab1ba05f7565a7371f4c521cfe6ed9547e522d9efc2f2b0eff27434c45c6820a

SHA512
bd8cd47292007de37d752cbb0b18ebedc70f3ea667a79e6e86e0b449697bc254ef73a20126104d396f7e084e6f7d458f85bd3b67b160f7da428c1c63c28ae5d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Da3Rx56.exe

Filesize
960KB

MD5
531eb7fdaa2f714e7ee3493143d390fb

SHA1
235946bedabdd21502f9b86e43dc1046fddb0532

SHA256
ab1ba05f7565a7371f4c521cfe6ed9547e522d9efc2f2b0eff27434c45c6820a

SHA512
bd8cd47292007de37d752cbb0b18ebedc70f3ea667a79e6e86e0b449697bc254ef73a20126104d396f7e084e6f7d458f85bd3b67b160f7da428c1c63c28ae5d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4NT281oj.exe

Filesize
489KB

MD5
c1efb4204b02ac75a661df3e73fdb679

SHA1
81a0e1573059933b0325c1c81bf005afb88cdbc0

SHA256
75cf02d6a763598173b27e6620f6036e2b9e61b63320434b0b4b46071c852058

SHA512
c21222828455553737b9bdd3b3ef7395b989b35701ab53f893de21981fae50bd1e3e03eebe2912ddb06df7adf705d144bd703d95079f0cb0fbe3d0f6b296504b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4NT281oj.exe

Filesize
489KB

MD5
c1efb4204b02ac75a661df3e73fdb679

SHA1
81a0e1573059933b0325c1c81bf005afb88cdbc0

SHA256
75cf02d6a763598173b27e6620f6036e2b9e61b63320434b0b4b46071c852058

SHA512
c21222828455553737b9bdd3b3ef7395b989b35701ab53f893de21981fae50bd1e3e03eebe2912ddb06df7adf705d144bd703d95079f0cb0fbe3d0f6b296504b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rU6ZO79.exe

Filesize
655KB

MD5
55af12e1544bc7634d6217ce6c0f2a02

SHA1
9cd872e23f6080e01b6486078352c31f6324a68f

SHA256
b42108ec59bfbac755d3dc9bdf45cba0b96f82a89c8534ea6af1dca7f435a5fd

SHA512
a7ff471e01cf87ef9d7af07d0b3eefbcb75dac5a78c48b1e89e3098dc79e48ee96f77bd9935858b59c7c6bcd8807b243440e33e68931ef125c3f6947276fa3db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rU6ZO79.exe

Filesize
655KB

MD5
55af12e1544bc7634d6217ce6c0f2a02

SHA1
9cd872e23f6080e01b6486078352c31f6324a68f

SHA256
b42108ec59bfbac755d3dc9bdf45cba0b96f82a89c8534ea6af1dca7f435a5fd

SHA512
a7ff471e01cf87ef9d7af07d0b3eefbcb75dac5a78c48b1e89e3098dc79e48ee96f77bd9935858b59c7c6bcd8807b243440e33e68931ef125c3f6947276fa3db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Ga23OJ.exe

Filesize
295KB

MD5
7df97952cda214885bcfd407bdba6385

SHA1
cccc53eb4b1c8fab8f71d601a15db7cb4a6c9888

SHA256
974e3119fc1763989827ed8aeb943dea07e220ffa5293ea293bb28963bf03be0

SHA512
68d7bfeb03b46f2a36f66efd6c2a6404e950b0aa0dfccc5b287a1535e95aee9568ad4d18a693ad70dcc655e7849547db56ad931e5ec8adfb0ca4455d61d542ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Ga23OJ.exe

Filesize
295KB

MD5
7df97952cda214885bcfd407bdba6385

SHA1
cccc53eb4b1c8fab8f71d601a15db7cb4a6c9888

SHA256
974e3119fc1763989827ed8aeb943dea07e220ffa5293ea293bb28963bf03be0

SHA512
68d7bfeb03b46f2a36f66efd6c2a6404e950b0aa0dfccc5b287a1535e95aee9568ad4d18a693ad70dcc655e7849547db56ad931e5ec8adfb0ca4455d61d542ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xw2Nn48.exe

Filesize
404KB

MD5
d4667f2d494be453ae038c1738dbe60d

SHA1
037c7a575d91ef86b072c486f246ff32f0076cf0

SHA256
c8b3d5be2634f239052ba1e7a8be8fd23b360da826c84b44c79dfe7a2068d9ba

SHA512
dc353186846e07865d89ca91f43b671703e0c870c94decdf5df1a844105bc0900bf7e38625d5b496eae63cb21302faaee1d0f1dc9dd7f86d1253eb05cc771b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xw2Nn48.exe

Filesize
404KB

MD5
d4667f2d494be453ae038c1738dbe60d

SHA1
037c7a575d91ef86b072c486f246ff32f0076cf0

SHA256
c8b3d5be2634f239052ba1e7a8be8fd23b360da826c84b44c79dfe7a2068d9ba

SHA512
dc353186846e07865d89ca91f43b671703e0c870c94decdf5df1a844105bc0900bf7e38625d5b496eae63cb21302faaee1d0f1dc9dd7f86d1253eb05cc771b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wI8GV1hb.exe

Filesize
947KB

MD5
12b3221471eba9e933de6dba3975c1ae

SHA1
5b1b70053390972b985f73b4babf736f09cc6a06

SHA256
c69787000aed22c5851fe5372ff730f7ca504ddb49a9e439e0f3f9b0dc7e3bdb

SHA512
b672564d85f056361f87fd31c4c579746e9c9fa3eaeb1f83686d6341840261f5d08f397a28ee3eb92fae1895b6041f8e39a1a6422d98dbd61af652d459721228

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wI8GV1hb.exe

Filesize
947KB

MD5
12b3221471eba9e933de6dba3975c1ae

SHA1
5b1b70053390972b985f73b4babf736f09cc6a06

SHA256
c69787000aed22c5851fe5372ff730f7ca504ddb49a9e439e0f3f9b0dc7e3bdb

SHA512
b672564d85f056361f87fd31c4c579746e9c9fa3eaeb1f83686d6341840261f5d08f397a28ee3eb92fae1895b6041f8e39a1a6422d98dbd61af652d459721228

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1aZ93vP4.exe

Filesize
276KB

MD5
a6a98ef514d6c82990051b153c3a894c

SHA1
b4127a243e6a6420155317b535385f4cc76c2377

SHA256
233ac3bee26a20abcc2086d26c89836e3f8bdd8e0a594e246784362b20d56291

SHA512
99a977315d4a91101ce4b5d786ce2e9289f20ac2dc87ba960b7d2b0219e7ed04242a9ddaf4fa57456bfc69c3a7796e41b5a7fe7c63744389b308c622b5ae3b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1aZ93vP4.exe

Filesize
276KB

MD5
a6a98ef514d6c82990051b153c3a894c

SHA1
b4127a243e6a6420155317b535385f4cc76c2377

SHA256
233ac3bee26a20abcc2086d26c89836e3f8bdd8e0a594e246784362b20d56291

SHA512
99a977315d4a91101ce4b5d786ce2e9289f20ac2dc87ba960b7d2b0219e7ed04242a9ddaf4fa57456bfc69c3a7796e41b5a7fe7c63744389b308c622b5ae3b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2LC5346.exe

Filesize
447KB

MD5
b0b76150b7bc459ffd3b3f50b9f02dd8

SHA1
637232bfa70a287c255f27b19747a70b79910c53

SHA256
34e2b5a9af0d47eb6c55196123ae2ebdd662740290809c05b3ec0cdc43ca977e

SHA512
c32c9900a5bc8f5d1593676b25d622dc0e91a2f4351f7f194338a0d8386bf1efcc0712471d36bf47904cd54554601d1dca6f0e8b408bba4592b2da3f71513db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2LC5346.exe

Filesize
447KB

MD5
b0b76150b7bc459ffd3b3f50b9f02dd8

SHA1
637232bfa70a287c255f27b19747a70b79910c53

SHA256
34e2b5a9af0d47eb6c55196123ae2ebdd662740290809c05b3ec0cdc43ca977e

SHA512
c32c9900a5bc8f5d1593676b25d622dc0e91a2f4351f7f194338a0d8386bf1efcc0712471d36bf47904cd54554601d1dca6f0e8b408bba4592b2da3f71513db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kG8Vz5sR.exe

Filesize
1.1MB

MD5
2d7034090f894fe7c462c890e56ad912

SHA1
16c2b8c79bf89d5765dd059158fa01ef68009568

SHA256
a8aa41259dada6c4bfb1c0ad86185887a3430d7f7427b1f205d2134155feaf7e

SHA512
04f779721945a896dceacca254477c99a2c6ddd5206944abb7d73d84e78323424ea12150b7d0f74eebaa52131e81ad509a25b88a05d1b675bab7bc66cf17cea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kG8Vz5sR.exe

Filesize
1.1MB

MD5
2d7034090f894fe7c462c890e56ad912

SHA1
16c2b8c79bf89d5765dd059158fa01ef68009568

SHA256
a8aa41259dada6c4bfb1c0ad86185887a3430d7f7427b1f205d2134155feaf7e

SHA512
04f779721945a896dceacca254477c99a2c6ddd5206944abb7d73d84e78323424ea12150b7d0f74eebaa52131e81ad509a25b88a05d1b675bab7bc66cf17cea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iX4rG7xq.exe

Filesize
646KB

MD5
f22a72c90e1c492c3f33e2bb78d7ca5c

SHA1
effb29909e50d33672a1046ddc68b52832170a28

SHA256
b6abeb4635836e7acdf66c76d83ea87f462d09e18c883f1a1e4dccec0425f276

SHA512
ef1e36add1e7376547afef3e5d5ee03f7a4e5d4d7aebc24fd0022af77e39a561d5ebc9959fc7ab80bf7e3f462df15423ae1f0c6f51f28a7da6f45cb0d52974b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iX4rG7xq.exe

Filesize
646KB

MD5
f22a72c90e1c492c3f33e2bb78d7ca5c

SHA1
effb29909e50d33672a1046ddc68b52832170a28

SHA256
b6abeb4635836e7acdf66c76d83ea87f462d09e18c883f1a1e4dccec0425f276

SHA512
ef1e36add1e7376547afef3e5d5ee03f7a4e5d4d7aebc24fd0022af77e39a561d5ebc9959fc7ab80bf7e3f462df15423ae1f0c6f51f28a7da6f45cb0d52974b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\hc3fE5ZP.exe

Filesize
451KB

MD5
495f5c4698b5d3acc2e57902d6cce7d3

SHA1
7ed48bd9f71e504d2292b07a3ab401adf19b0c1d

SHA256
2ac2a5799cecf8644a61d3eecd5efa4df1133b7c8d316796d14be5f4438e23fc

SHA512
71790128ec91caa7f722f6074341b984a907904b6e58cb29e97bdd5c340295a330e5bf65e601823cee52c5ab16bf5a4a7a672afe5f95c587ee3e8185e7c8ef56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\hc3fE5ZP.exe

Filesize
451KB

MD5
495f5c4698b5d3acc2e57902d6cce7d3

SHA1
7ed48bd9f71e504d2292b07a3ab401adf19b0c1d

SHA256
2ac2a5799cecf8644a61d3eecd5efa4df1133b7c8d316796d14be5f4438e23fc

SHA512
71790128ec91caa7f722f6074341b984a907904b6e58cb29e97bdd5c340295a330e5bf65e601823cee52c5ab16bf5a4a7a672afe5f95c587ee3e8185e7c8ef56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1IJ35UM4.exe

Filesize
448KB

MD5
96b1ef1f7b02b5dc96c390efc396f229

SHA1
710e52258d9f50f314d4de1dbbe124e0c1f0898f

SHA256
2c2f3977e5594800defaa0633c381d76cd02ea540af507ffbf64e11f71b21bb8

SHA512
804694fd1c71f9f1b03aaacf7c2458307e12cd65eda4d0a2363a94b5cb9bb21b1f5f2bb73e2f119e047c9c28623e04567620f7b494244c233d5e53e14b616938

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1IJ35UM4.exe

Filesize
448KB

MD5
96b1ef1f7b02b5dc96c390efc396f229

SHA1
710e52258d9f50f314d4de1dbbe124e0c1f0898f

SHA256
2c2f3977e5594800defaa0633c381d76cd02ea540af507ffbf64e11f71b21bb8

SHA512
804694fd1c71f9f1b03aaacf7c2458307e12cd65eda4d0a2363a94b5cb9bb21b1f5f2bb73e2f119e047c9c28623e04567620f7b494244c233d5e53e14b616938

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1IJ35UM4.exe

Filesize
448KB

MD5
96b1ef1f7b02b5dc96c390efc396f229

SHA1
710e52258d9f50f314d4de1dbbe124e0c1f0898f

SHA256
2c2f3977e5594800defaa0633c381d76cd02ea540af507ffbf64e11f71b21bb8

SHA512
804694fd1c71f9f1b03aaacf7c2458307e12cd65eda4d0a2363a94b5cb9bb21b1f5f2bb73e2f119e047c9c28623e04567620f7b494244c233d5e53e14b616938

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
229KB

MD5
78e5bc5b95cf1717fc889f1871f5daf6

SHA1
65169a87dd4a0121cd84c9094d58686be468a74a

SHA256
7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

SHA512
d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

Download Submit
C:\Users\Admin\AppData\Roaming\gdhvfuu

Filesize
101KB

MD5
89d41e1cf478a3d3c2c701a27a5692b2

SHA1
691e20583ef80cb9a2fd3258560e7f02481d12fd

SHA256
dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

SHA512
5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

Download Submit
C:\Users\Admin\AppData\Roaming\gdhvfuu

Filesize
101KB

MD5
89d41e1cf478a3d3c2c701a27a5692b2

SHA1
691e20583ef80cb9a2fd3258560e7f02481d12fd

SHA256
dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

SHA512
5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

Download Submit
memory/244-134-0x0000000007B00000-0x00000000080A4000-memory.dmp

Filesize
5.6MB

Download
memory/244-91-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/244-137-0x0000000007610000-0x0000000007620000-memory.dmp

Filesize
64KB

Download
memory/244-104-0x00000000736A0000-0x0000000073E50000-memory.dmp

Filesize
7.7MB

Download
memory/244-140-0x00000000076F0000-0x00000000076FA000-memory.dmp

Filesize
40KB

Download
memory/1340-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-46-0x00000000030A0000-0x00000000030B6000-memory.dmp

Filesize
88KB

Download
memory/3300-47-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3300-45-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3300-44-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3596-123-0x0000000000F00000-0x0000000000F0A000-memory.dmp

Filesize
40KB

Download
memory/3596-136-0x00007FF861B20000-0x00007FF8625E1000-memory.dmp

Filesize
10.8MB

Download
memory/3820-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3820-74-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3820-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3820-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-135-0x0000000007790000-0x0000000007822000-memory.dmp

Filesize
584KB

Download
memory/4452-121-0x00000000736A0000-0x0000000073E50000-memory.dmp

Filesize
7.7MB

Download
memory/4560-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4560-29-0x0000000073F90000-0x0000000074740000-memory.dmp

Filesize
7.7MB

Download
memory/4560-30-0x0000000073F90000-0x0000000074740000-memory.dmp

Filesize
7.7MB

Download
memory/4560-32-0x0000000073F90000-0x0000000074740000-memory.dmp

Filesize
7.7MB

Download